

/*
 * NTSTATUS PsConvertToGuiThread(VOID)
 *
 * Hand-recoded (from a disassembly) x86 inline-asm body of the kernel routine
 * that turns the calling thread into a GUI (Win32) thread: it points the
 * thread's service table at the shadow table, hands the process/thread to the
 * win32 callouts and, when the thread does not yet have one, moves it onto a
 * large kernel stack first.
 *
 * Every call and data address below is an absolute address of one specific
 * 32-bit kernel build (the 0x804xxxxx / 0x8068xxxx / 0xBF82xxxx literals), so
 * this listing is tied to that exact image.  The symbol names in the comments
 * are the original author's identifications; several are marked as guesses and
 * a few are contradicted by the register usage (noted inline).
 *
 * Register roles, valid for the whole body:
 *   esi = current KTHREAD (loaded from fs:0x124)
 *   ebx = 0 for the entire function (cleared once, never written again) and
 *         used as the constant 0 / FALSE in every compare and push
 *   edi = freshly created kernel stack, then the previous stack base
 *   eax = NTSTATUS result at every exit (all exits go through BeforeReturn)
 *
 * Frame: locals are addressed through ebp ([ebp-0x4], [ebp-0x10], [ebp-0x19],
 * [ebp-0x20], [ebp-0x24]) and fs:0 is restored on exit, so the body assumes
 * the compiler-style SEH prologue set up by its first three instructions
 * (push / push / call), which presumably also pushes ebx/esi/edi — the
 * shared epilogue at BeforeReturn pops exactly those three.  NOTE(review):
 * this only holds if the C compiler emits no prologue of its own around the
 * __asm block; confirm.
 */
NTSTATUS
NTAPI
PsConvertToGuiThread(VOID)
{
  //Recoded by Dual
  __asm
  {
  // SEH frame setup: push <arg> / push <handler> / call matches the compiler's
  // _SEH_prolog pattern. The author's "KGDT_R3_TEB?" reading of 0x38 is
  // unlikely here (it is a pushed argument, not a selector) — presumably a
  // frame-size / scope-table value; confirm against the original disassembly.
  push 0x38 //SEH prolog argument (author guessed KGDT_R3_TEB)
  push 0x804FCBE8 //presumably the exception handler / scope table address
  call 0x804e443b     //presumably _SEH_prolog (author's label was garbled)

  mov eax,dword ptr fs:0x124  //fs:0x124 = KPCR.PrcbData.CurrentThread
  mov esi,eax //esi = current KTHREAD for the rest of the function
  xor ebx,ebx  //ebx = 0; never written again, serves as constant 0 / FALSE

  //Refuse kernel-mode callers: PreviousMode == KernelMode (0) -> STATUS_INVALID_PARAMETER
  cmp byte ptr[esi+0x140],bl //KTHREAD.PreviousMode (+0x140) == 0 ?
  jz InvalidParam

  //win32k callout not registered (global is NULL) -> STATUS_ACCESS_DENIED.
  //NOTE(review): the author labels this PspWin32ProcessCallback, but the
  //callout actually invoked below is read from 0x8068E890, a different
  //address; one of the two labels is probably wrong — confirm.
  cmp dword ptr[0xBF820ECE],ebx
  jz AccessDenied

  //KTHREAD.ServiceTable (+0xE0) already differs from the default table ->
  //thread is already a GUI thread -> STATUS_ALREADY_WIN32.
  //NOTE(review): MSVC inline asm treats a C symbol as a memory operand, so
  //this is a mem,mem compare; if the table's address is meant,
  //`offset KeServiceDescriptorTable` is needed (same at ItzSDT and at the
  //BackupShadow store below).
  cmp dword ptr[esi+0xE0],KeServiceDescriptorTable
  jnz AlreadyWin32

  //KTHREAD+0x44: the value is pushed later as the "Process" argument
  //(read back via [ebp-0x20]) — presumably ApcState.Process; confirm.
  mov eax,dword ptr[esi+0x44]
  //NOTE(review): written through esp but read back through [ebp-0x20] at the
  //callout below; esp vs ebp here is almost certainly a decoding slip — confirm.
  mov dword ptr[esp-0x20],eax

  //KTHREAD+0x142 != 0 -> thread already runs on a large stack, skip the swap
  //(presumably the LargeStack flag; confirm)
  cmp byte ptr [esi+0x142],bl
  jnz AlreadyLargeStack

  //eax = zero-extended byte field KTHREAD+0xDF, used as 2nd argument below
  xor eax,eax
  mov al,byte ptr[esi+0xDF]

  //presumably MmCreateKernelStack(TRUE /*large*/, <byte>) — it is paired with
  //the MmDeleteKernelStack call further down; returns the new stack base in eax
  push eax
  push 1
  call 0x804FC357
  mov edi,eax //edi = new stack base

  cmp edi,ebx //NULL -> out of memory
  jz BeforeNoMemory

  //NOTE(review): a fastcall with cl = 1 whose byte result (al) is saved on the
  //next line is the shape of KfRaiseIrql(APC_LEVEL) returning the old IRQL,
  //not KeEnterCriticalRegion (which takes no argument and returns nothing);
  //the author's label is likely wrong — confirm.
  mov cl,0x1
  call dword ptr[0x804d9674] //author: KeEnterCriticalRegion

  mov byte ptr[ebp-0x19],al //keep the returned byte (old IRQL?) for the matching call after the switch
  lea eax,dword ptr[edi-0x3000] //eax = new base - 0x3000 (12 KiB): presumably the new stack limit

  push eax //StackLimit?
  push edi //StackBase
  call 0x804e4c1c //KeSwitchKernelStack? (author's guess); eax = previous stack

  mov edi,eax //edi = previous stack base
  mov cl,byte ptr[ebp-0x19]
  call dword ptr[0x804d969c] //companion of the cl-argument call above (KfLowerIrql(saved)?); author: KeLeaveCriticalRegion

  push ebx //0 = FALSE
  push edi //previous stack
  call 0x804eb9d9 //MmDeleteKernelStack(OldStack, FALSE): free the stack just left

AlreadyLargeStack:
  //NOTE(review): an absolute global, not a field of the process; the author's
  //"Process->Win32Process" label cannot describe a fixed address — probably a
  //decoding artifact, confirm.
  mov eax,dword ptr[0x8056328c]

  cmp eax,ebx //NULL?
  jnz NotWin32Process //non-NULL: test its flag byte below

  push 1 //TRUE (initialize)
  push dword ptr[ebp-0x20] //Process (saved near the top of the function)
  call dword ptr[0x8068E890] //PspWin32ProcessCallback(Process, TRUE) per author; NTSTATUS in eax

  cmp eax,ebx //signed compare against 0: negative NTSTATUS = failure
  jl ReturnN //propagate the failing status

  //Switch KTHREAD.ServiceTable to the shadow table (see the `offset` remark above)
  mov dword ptr[esi+0xE0],BackupShadow

  //NOTE(review): ebx is 0 throughout this function, so this pushes 0 / FALSE,
  //not TRUE as the original comment claimed.
  push ebx
  push esi //Thread
  call dword ptr[0x8068e894] //PspWin32ThreadCallback(Thread, 0) per author; NTSTATUS in eax

  cmp eax,ebx //negative NTSTATUS = failure
  jl ItzSDT //failure: undo the service-table switch before returning
  call BeforeReturn //success: eax still holds the callback's status
  retn

NotWin32Process:
  test byte ptr[eax+0x4],1 //bit 0 of the byte at +4 of the object loaded above
  //NOTE(review): the jump target is garbled in this listing (the label was
  //lost); it cannot be recovered from the page, so the original disassembly
  //must be consulted before this is assembled.
  je ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ItzSDT:
    //Restore the default service table so a failed conversion never leaves
    //the thread on the shadow table (see the `offset` remark above); eax = failing status
    mov dword ptr[esi+0xE0],KeServiceDescriptorTable
    jmp ReturnN

BeforeNoMemory:
  mov dword ptr[ebp-0x4],ebx //[ebp-4] = 0: presumably the SEH try-level slot, paired with the -1 store at NoMemory
  //NOTE(review): fs:0x18 is NT_TIB.Self; in kernel mode fs points at the KPCR,
  //so this is not a user-mode TEB and the LastError store below looks like a
  //decoding slip — confirm.
  mov eax,dword ptr fs:0x18
  mov dword ptr[ebp-0x24],eax
  mov dword ptr[eax+0x34],8 //8 = ERROR_NOT_ENOUGH_MEMORY (offset 0x34 is LastErrorValue in a user TEB)
  jmp NoMemory

//Shared epilogue, entered via `call` so the return address is on top of the
//stack: restores the previous SEH registration (fs:0) from [ebp-0x10], pops
//the return address into ecx, pops edi/esi/ebx (presumably pushed by the SEH
//prologue), tears the frame down with leave, re-pushes the return address and
//returns to the `retn` that follows each call site. This is the _SEH_epilog
//shape written by hand; it must not touch eax (the status).
BeforeReturn:
    mov ecx,dword ptr[ebp-0x10]
    mov dword ptr fs:0,ecx
    pop ecx
    pop edi
    pop esi
    pop ebx
    leave
    push ecx
    retn

InvalidParam:
  mov eax,0xC000000DL //STATUS_INVALID_PARAMETER: caller was in kernel mode
  jmp ReturnN

AccessDenied:
  mov eax,0xC0000022L //STATUS_ACCESS_DENIED: win32k callout global is NULL
  jmp ReturnN

AlreadyWin32:
  mov eax,0x4000001BL //STATUS_ALREADY_WIN32 (success-class): service table already non-default
  jmp ReturnN

NoMemory:
  or dword ptr[ebp-0x4],0xFFFFFFFFL //[ebp-4] = -1: presumably leaves the SEH try scope
  mov eax,0xC0000017L //STATUS_NO_MEMORY: kernel stack creation returned NULL
  jmp ReturnN

ReturnN:
  call BeforeReturn //common exit, eax = status
  retn
  }
/////////////////////////////////////////////////// 
}



  1. 구라 2008/10/15 11:22  댓글주소  수정/삭제  댓글쓰기

    듀얼님 PsConvertToGuiThread() 본 함수의 어셈블리 코드는 어떻게 작성하는겁니까? 전 windbg에 VirtualPc로 듀얼님 처럼 어떻게 좀 나오게 할려고 해도 안되던데요. 한수 부탁드립니다.